[+] Aurora::ProcessesConfig

[*] Fixed stupid thread leak from a non-ipc semaphore being used under cow pages
This commit is contained in:
Reece Wilson 2024-11-23 06:46:26 +00:00
parent 8adb2a476a
commit 2ed05ce8dd
3 changed files with 71 additions and 42 deletions

View File

@ -118,21 +118,6 @@ namespace Aurora
AuOptional<AuString> optDefaultBrand { "Aurora SDK Sample" };
bool bForceOverlappedUtilsToDelegatedThreadPool { false };
bool bIsIntranetTrusted { false };
bool bBypassInternetBlockCheckOpenFile { false }; // Disables the file origin check under the AuProcesses::OpenXXX APIs.
// The AuFS trust APIs are to be used with project files that may contain build/init code hooks, and to be used with untrusted files that may contain executable code.
// By default, AuProcesses::s assume any file downloaded from the internet or an instant messenger is defacto malware thanks to shitty Linux programs and historical Windows sandbox escapes.
// Think this is overkill? Nah. Linux devs are dumber than a bag of rocks: https://nvd.nist.gov/vuln/detail/cve-2023-43641, https://github.blog/wp-content/uploads/2023/10/CVE-2023-43641-poc.mp4#t=0.001
// And then theres: https://nvd.nist.gov/vuln/detail/cve-2021-4214 ( we cant trust libpng )
// : https://nvd.nist.gov/vuln/detail/cve-2023-4863 ( we cant trust libvpx )
// : https://nvd.nist.gov/vuln/detail/cve-2020-17541 (+2022-37769, 2023-37837, et al) ( we cant trust libjpegturbo )
// (and, no, dumbasses shilling rust: no language or design goals are ever going to change runtime exploits abusing opted-out bound-checks of compressed formats for the sake of perf over integrity)
// (for now, we just have to say, "fuck anything that came from the internet" rather than astroturfing coolaid solutions. )
// (moving to a "everything is malware unless it came from me"-model is where we need to be at. internet advertising companies, namely google and adobe, have low standards for security. for - )
// (- instance, chrome is full of use after free issues because they hire cheap eastern-bloc developers that constantly mess up vector iteration and raw pointer life-times. google killed flash- )
// (- despite having the capability to sandbox it for over a decade, see: nacl. flash and java drivebys were a thing for way too long. the formats we use are overly complex garbage. )
// ( we cant trust anyone. )
// ( wake me up when OS sandboxing isnt a joke despite almost 4 decades of MMU protections; and when we start adopting easy to implement, memory-optimized, and structurally sound formats again. )
};
struct DebugConfig
@ -284,6 +269,25 @@ namespace Aurora
bool bEnablePreload { true };
};
struct ProcessesConfig
{
// Disables the file origin check under the AuProcesses::OpenXXX APIs.
// The AuFS trust APIs are to be used with project files that may contain build/init code hooks, and to be used with untrusted files that may contain executable code.
// By default, AuProcesses::s assume any file downloaded from the internet or an instant messenger is defacto malware thanks to shitty Linux programs and historical Windows sandbox escapes.
// Think this is overkill? Nah. Linux devs are dumber than a bag of rocks: https://nvd.nist.gov/vuln/detail/cve-2023-43641, https://github.blog/wp-content/uploads/2023/10/CVE-2023-43641-poc.mp4#t=0.001
// And then theres: https://nvd.nist.gov/vuln/detail/cve-2021-4214 ( we cant trust libpng )
// : https://nvd.nist.gov/vuln/detail/cve-2023-4863 ( we cant trust libvpx )
// : https://nvd.nist.gov/vuln/detail/cve-2020-17541 (+2022-37769, 2023-37837, et al) ( we cant trust libjpegturbo )
// (and, no, dumbasses shilling rust: no language or design goals are ever going to change runtime exploits abusing opted-out bound-checks of compressed formats for the sake of perf over integrity)
// (for now, we just have to say, "fuck anything that came from the internet" rather than astroturfing coolaid solutions. )
// (moving to a "everything is malware unless it came from me"-model is where we need to be at. internet advertising companies, namely google and adobe, have low standards for security. for - )
// (- instance, chrome is full of use after free issues because they hire cheap eastern-bloc developers that constantly mess up vector iteration and raw pointer life-times. google killed flash- )
// (- despite having the capability to sandbox it for over a decade, see: nacl and win8/10. flash and java drivebys were a thing for too long. the formats we use are overly complex garbage. )
// ( we cant trust anyone. )
// ( wake me up when OS sandboxing isnt a joke despite almost 4 decades of MMU protections; and when we start adopting easy to implement, memory-optimized, and structurally sound formats again. )
bool bBypassInternetBlockCheckOpenFile { false };
};
struct IOConfig
{
AuUInt32 uProtocolStackDefaultBufferSize { 64 * 1024 };
@ -369,6 +373,7 @@ namespace Aurora
AuAlignTo<128, LinuxConfig> linuxConfig;
AuAlignTo<128, Win32Config> win32Config;
AuAlignTo<128, ProcessConfig> processConfig;
AuAlignTo<128, ProcessesConfig> processesConfig;
AuAlignTo<128, IOConfig> ioConfig;
AuAlignTo<128, DummyConfig> padding;

View File

@ -14,7 +14,7 @@
namespace Aurora::Processes
{
static void UnixOpenAsyncThread(AuString uri, int iType)
static void UnixOpenPartiallyBlocking(AuROString uri, int iType)
{
bool bDirExists {};
bool bFileExists {};
@ -32,7 +32,7 @@ namespace Aurora::Processes
return;
}
if (bFileExists && !gRuntimeConfig.fio.bBypassInternetBlockCheckOpenFile)
if (bFileExists && !gRuntimeConfig.processesConfig.bBypassInternetBlockCheckOpenFile)
{
if (AuFS::IsFileBlocked(uri))
{
@ -69,14 +69,7 @@ namespace Aurora::Processes
bool bIsForcedDBUS = optStringB && optStringB.Value() == "YES";
bool bAllowDbus = !optStringC && (AuFS::FileExists("/usr/bin/gdbus") || AuFS::FileExists("/bin/gdbus"));
if (bIsFireJail || bIsForcedDBUS || bAllowDbus)
{
gUseDShid = true;
}
else
{
gUseDShid = false;
}
gUseDShid = (bIsFireJail || bIsForcedDBUS || bAllowDbus);
});
if (!gUseDShid)
@ -93,37 +86,40 @@ namespace Aurora::Processes
{
AuFS::GoUpToSeparator(out, uri);
}
uri = AuString(out);
uri = out;
}
}
AuSemaphore semaphore;
auto pSemaphore = AuLoop::NewLSSemaphoreSlow();
if (!pSemaphore)
{
SysPushErrorIOResourceFailure();
return;
}
volatile int type2 = iType;
auto iFork = fork();
if (iFork == 0)
{
setsid();
// isn't posix fun?
PosixDoForkHooks();
PosixShutup();
PosixFDYeetus();
auto pBaseURI = (char *)SysAllocateLarge(uri.size() + 1);
if (pBaseURI)
{
AuMemcpy(pBaseURI, uri.c_str(), uri.size() + 1);
AuMemcpy(pBaseURI, uri.data(), uri.size());
pBaseURI[uri.size()] = 0;
}
int iType = type2;
// ...super fun
semaphore->Unlock(1);
// ...the original iType and uri buffer will be trashed from this point onwards
// isn't posix fun?
setsid();
pSemaphore->AddOne();
// the original iType and uri buffer will be trashed from this point onwards
PosixFDYeetus();
PosixDoForkHooks();
PosixShutup();
// and as if dealing with posix isn't bad enough...
// here's some more redhat/lennart poettering/dbus/xdg bullshid
// here's some more redhat/lennart poettering/dbus/xdg bullshid requiring stringified leaked closexecless file descriptors
if (gUseDShid)
{
const char *pExecString {};
@ -193,7 +189,7 @@ namespace Aurora::Processes
}
else if (iFork > 0)
{
semaphore->Lock();
pSemaphore->WaitOn();
}
}
}
@ -205,7 +201,35 @@ namespace Aurora::Processes
return;
}
#if 0
// TODO: If we are to truly care about the AuFS::XXXExists stats, create an ordered work queue for a singlar thread,
// like the NT version of this file. Should anyone want to write a xdg-open-like util, it's possible for this
// detached thread to be forcefully terminated before the setsid(). A singular thread would guarantee order
// and hide any (networked?) filesystem stalls.
//
// - On Linux caching away these issues -
//
// Linux aggressively caches inodes leading idiots to believe linux io is somehow superior to NT and FreeBSD
// - its not, *spawn thread* *spawn thread*, tell u what, *kthread_create* - even though it's really just
// usecases like this, opens without lock advisories, where Linux pretends to be faster through caching we
// probably shouldn't expect, want, or desire. Who wants heavy caching under an OS that randomly OOM kills?
// Who wants defacto unsafe removal storage? Who wants Linus malding over "database dbs" for daring to want
// less abstractions in the form of "i know best" caches - """"optimizations"""""? Linshit is held together
// by god damn sellotape, their file systems are a clusterfuck, there's no efficient IO scheduler, and ofc
// everything god damn thing has to block. I digress..
//
// On the plus side, our stats should be basically free memcpys of user-prewarmed directory nodes between IPC
// boundaries. I mean, the end-user didn't just guess the realpath, no? The calling thread didn't just guess the
// existence of a file, did it? Odds are, we wont need to hit any form of IO before the real work under a fork.
// I guess we can trust Linuxs crappy caching to nuke the requirement of a thread pool; unlike Win32, that needs
// a COM initialized thread and will probably ad-hoc link in shell libraries [slowly].
//
// It is therefore the case we shouldn't need a worker thread for Linux.
//
AuThreads::Spawn(std::bind(&UnixOpenAsyncThread, AuString(uri), iType), true);
#else
UnixOpenPartiallyBlocking(uri, iType);
#endif
}
AUKN_SYM void OpenUri(const AuROString &uri)

View File

@ -59,7 +59,7 @@ namespace Aurora::Processes
continue;
}
if (bFileExists && !gRuntimeConfig.fio.bBypassInternetBlockCheckOpenFile)
if (bFileExists && !gRuntimeConfig.processesConfig.bBypassInternetBlockCheckOpenFile)
{
if (AuFS::IsFileBlocked(uri))
{